proxylib

package
v1.5.0-rc3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 8, 2019 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	MORE   OpType = C.FILTEROP_MORE
	PASS   OpType = C.FILTEROP_PASS
	DROP   OpType = C.FILTEROP_DROP
	INJECT OpType = C.FILTEROP_INJECT
	ERROR  OpType = C.FILTEROP_ERROR
	// Internal types not exposed to Caller
	NOP OpType = 256

	ERROR_INVALID_OP_LENGTH    OpError = C.FILTEROP_ERROR_INVALID_OP_LENGTH
	ERROR_INVALID_FRAME_TYPE   OpError = C.FILTEROP_ERROR_INVALID_FRAME_TYPE
	ERROR_INVALID_FRAME_LENGTH OpError = C.FILTEROP_ERROR_INVALID_FRAME_LENGTH
)

Variables

This section is empty.

Functions

func CloseInstance 

func CloseInstance(id uint64) uint64

Close returns the new open count

func OpenInstance 

func OpenInstance(nodeID string, xdsPath string, newPolicyClient func(path, nodeID string, updater PolicyUpdater) PolicyClient,
	accessLogPath string, newAccessLogger func(accessLogPath string) AccessLogger) uint64

OpenInstance creates a new instance or finds an existing one with equivalent parameters. returns the instance id.

func ParseError 

func ParseError(reason string, config interface{})

ParseError may be issued by Policy parsing code. The policy configuration change will be graciously rejected by recovering from the panic.

func RegisterL7RuleParser 

func RegisterL7RuleParser(l7PolicyTypeName string, parserFunc L7RuleParser)

RegisterL7Parser adds a l7 policy protocol protocol parser to the map of known l7 policy parsers. This is called from parser init() functions while we are still single-threaded

func RegisterParserFactory 

func RegisterParserFactory(name string, parserFactory ParserFactory)

RegisterParserFactory adds a protocol parser factory to the map of known parsers. This is called from parser init() functions while we are still single-threaded

Types

type AccessLogger 

type AccessLogger interface {
	Log(pblog *cilium.LogEntry)
	Close()
	Path() string
}

type Connection 

type Connection struct {
	Instance   *Instance // Holder of POlicy protocol and access logging clients
	Id         uint64    // Unique connection ID allocated by the caller
	Ingress    bool      // 'true' for ingress, 'false' foe egress
	SrcId      uint32    // Source security ID, may be mapped from the source IP address
	DstId      uint32    // Destination security ID, may be mapped from the destination IP address
	SrcAddr    string    // Source IP address in "a.b.c.d:port" or "[A:...:C]:port" format
	DstAddr    string    // Original destination IP address
	PolicyName string    // Identifies which policy instance applies to this connection
	Port       uint32    // (original) destination port number in numeric format

	ParserName string    // Name of the parser
	Parser     Parser    // Parser instance used on this connection
	OrigBuf    InjectBuf // Buffer for injected frames in original direction
	ReplyBuf   InjectBuf // Buffer for injected frames in reply direction
}

Connection holds the connection metadata that is used both for policy enforcement and access logging.

func NewConnection 

func NewConnection(instance *Instance, proto string, connectionId uint64, ingress bool, srcId, dstId uint32, srcAddr, dstAddr, policyName string, origBuf, replyBuf *[]byte) (error, *Connection)

func (*Connection) CheckOnData 

func (conn *Connection) CheckOnData(c *C, reply, endStream bool, data *[][]byte, expResult FilterResult, expReplyBuf []byte, expOps ...interface{})

func (*Connection) CheckOnDataOK 

func (conn *Connection) CheckOnDataOK(c *C, reply, endStream bool, data *[][]byte, expReplyBuf []byte, expOps ...interface{})

func (*Connection) Inject 

func (connection *Connection) Inject(reply bool, data []byte) int

inject buffers data to be injected into the connection at the point of INJECT

func (*Connection) IsInjectBufFull 

func (connection *Connection) IsInjectBufFull(reply bool) bool

isInjectBufFull return true if the inject buffer for the indicated direction is full

func (*Connection) Log 

func (conn *Connection) Log(entryType cilium.EntryType, l7 *cilium.LogEntry_GenericL7)

func (*Connection) Matches 

func (connection *Connection) Matches(l7 interface{}) bool

func (*Connection) OnData 

func (connection *Connection) OnData(reply, endStream bool, data *[][]byte, filterOps *[][2]int64) (res FilterResult)

type FilterResult 

type FilterResult int
const (
	OK                 FilterResult = C.FILTER_OK
	POLICY_DROP        FilterResult = C.FILTER_POLICY_DROP
	PARSER_ERROR       FilterResult = C.FILTER_PARSER_ERROR
	UNKNOWN_PARSER     FilterResult = C.FILTER_UNKNOWN_PARSER
	UNKNOWN_CONNECTION FilterResult = C.FILTER_UNKNOWN_CONNECTION
	INVALID_ADDRESS    FilterResult = C.FILTER_INVALID_ADDRESS
	INVALID_INSTANCE   FilterResult = C.FILTER_INVALID_INSTANCE
)

func (FilterResult) Error 

func (r FilterResult) Error() string

Error() implements the error interface for FilterResult

type InjectBuf 

type InjectBuf *[]byte

InjectBuf is a pointer to a slice header for an inject buffer allocated by the proxylib caller. As data is placed into the buffer, the length of the buffer in the slice header is increased correspondingly. To make the the injected data visible to the caller we need to pass the slice header by reference rather than by value, hence the pointer in the type. As the caller is typically in a differnent memory management domain (not subject to Go runtime garbage collection), the underlying buffer may never be expanded or otherwise reallocated.

type Instance 

type Instance struct {
	// contains filtered or unexported fields
}

func FindInstance 

func FindInstance(id uint64) *Instance

func NewInstance 

func NewInstance(nodeID string, accessLogger AccessLogger) *Instance

func (*Instance) CheckInsertPolicyText 

func (ins *Instance) CheckInsertPolicyText(c *C, version string, policies []string)

func (*Instance) CheckNewConnection 

func (ins *Instance) CheckNewConnection(c *C, proto string, ingress bool, srcId, dstId uint32, srcAddr, dstAddr, policyName string) (error, *Connection)

func (*Instance) CheckNewConnectionOK 

func (ins *Instance) CheckNewConnectionOK(c *C, proto string, ingress bool, srcId, dstId uint32, srcAddr, dstAddr, policyName string) *Connection

func (*Instance) InsertPolicyText 

func (ins *Instance) InsertPolicyText(version string, policies []string, expectFail string) error

func (*Instance) Log 

func (ins *Instance) Log(pblog *cilium.LogEntry)

func (*Instance) PolicyMatches 

func (ins *Instance) PolicyMatches(endpointPolicyName string, ingress bool, port, remoteId uint32, l7 interface{}) bool

func (*Instance) PolicyUpdate 

func (ins *Instance) PolicyUpdate(resp *envoy_api_v2.DiscoveryResponse) (err error)

Update the PolicyMap from a protobuf. PolicyMap is only ever changed if the whole update is successful.

type L7NetworkPolicyRule 

type L7NetworkPolicyRule interface {
	Matches(interface{}) bool
}

Each L7 rule implements this interface

type L7RuleParser 

type L7RuleParser func(rule *cilium.PortNetworkPolicyRule) []L7NetworkPolicyRule

L7RuleParser takes the protobuf and converts the oneof relevant for the given L7 to an array of L7 rules. A packet matches if the 'Matches' method of any of these rules matches the 'l7' interface passed by the L7 implementation to PolicyMap.Matches() as the last parameter.

type OpError 

type OpError int64

func (OpError) String 

func (opErr OpError) String() string

type OpType 

type OpType int64

func (OpType) String 

func (op OpType) String() string

type Parser 

type Parser interface {
	// OnData() is called when input is available on the underlying connection. The Parser
	// instance is only ever used for processing data of a single connection, which allows
	// the parser instance to keep connection specific state. All OnData() calls for a
	// single connection (both directions) are made from a single thread, so that
	// no locking is needed for the parser instance if no other goroutines need to access
	// the parser instance. (Note that any L7 policy protocol rule parsing happens in
	// other goroutine so any such parsing should not access parser instances directly.)
	//
	// OnData() parameters are as follows:
	// 'reply' is 'false' for original direction of the connection, 'true' otherwise.
	// 'endStream' is true if there is no more data after 'data' in this direction.
	// 'data' is the available data in the current direction. The datapath buffers
	//        partial frames as instructed by the operations returned by the parser
	//        so that the 'data' always starts on a frame boundary. That is, whenever
	//        the parser returns `MORE` indicating it needs more input, the bytes
	//        not 'PASS'ed or 'DROP'ped are retained in a datapath buffer and those
	//        same bytes are passed to the parser again when more input is available.
	//        'data' may be an empty slice, but the slices contained are never empty.
	//
	// OnData() returns an operation and the number of bytes ('N') the operation applies.
	// The possible values for 'op' are:
	// 'MORE' -   Data currently in 'data' is to be retained by the datapath and passed
	//            again to OnData() after 'N' bytes more data is available.
	// 'PASS' -   Allow 'N' bytes.
	// 'DROP' -   Drop 'N' bytes and call OnData() again for the remaining data.
	// 'INJECT' - Insert 'N' bytes of data placed into the inject buffer in to the
	//            data stream in this direction.
	// 'NOP' -    Do nothing, to be used when it is known if no more input
	//            is to be expected.
	// 'ERROR' -  Protocol parsing failed and the connection should be closed.
	//
	// OnData() is called again after 'PASS', 'DROP', and 'INJECT' with the remaining
	// data even if none remains.
	OnData(reply, endStream bool, data [][]byte) (op OpType, N int)
}

A parser instance is used for each connection. OnData will be called from a single thread only.

type ParserFactory 

type ParserFactory interface {
	Create(connection *Connection) Parser // must be thread safe!
}

func GetParserFactory 

func GetParserFactory(name string) ParserFactory

type PolicyClient 

type PolicyClient interface {
	Close()
	Path() string
}

type PolicyInstance 

type PolicyInstance struct {
	Ingress PortNetworkPolicies
	Egress  PortNetworkPolicies
	// contains filtered or unexported fields
}

func (*PolicyInstance) Matches 

func (p *PolicyInstance) Matches(ingress bool, port, remoteId uint32, l7 interface{}) bool

type PolicyMap 

type PolicyMap map[string]*PolicyInstance

Network policies keyed by endpoint policy names

type PolicyUpdater 

type PolicyUpdater interface {
	PolicyUpdate(resp *envoy_api_v2.DiscoveryResponse) error
}

type PortNetworkPolicies 

type PortNetworkPolicies struct {
	Rules map[uint32]PortNetworkPolicyRules
}

func (*PortNetworkPolicies) Matches 

func (p *PortNetworkPolicies) Matches(port, remoteId uint32, l7 interface{}) bool

type PortNetworkPolicyRule 

type PortNetworkPolicyRule struct {
	AllowedRemotes map[uint64]struct{}
	L7Rules        []L7NetworkPolicyRule
}

func (*PortNetworkPolicyRule) Matches 

func (p *PortNetworkPolicyRule) Matches(remoteId uint32, l7 interface{}) bool

type PortNetworkPolicyRules 

type PortNetworkPolicyRules struct {
	Rules       []PortNetworkPolicyRule
	HaveL7Rules bool
}

func (*PortNetworkPolicyRules) Matches 

func (p *PortNetworkPolicyRules) Matches(remoteId uint32, l7 interface{}) bool

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.